Mobile device security management system

ABSTRACT

A method for managing the security of a client device in a mobile device management system (MDMS) comprises receiving a security policy at a client device, applying the security policy on the client device, determining an occurrence of a security policy event, determining a violation based on the occurrence of the security policy event and applying different security controls based on predefined elapsed times on the client device.

BACKGROUND

1. Technical Field

The present invention relates generally to security management of a mobile device and, more particularly, to an enterprise-wide, time-dependent security management system for mobile devices based on security policies.

2. Related Art

When it comes to using mobile devices (e.g., smart phones, cell phones, laptop computers, notebook computers, Tablet PCs, Personal Digital Assistants (PDAs), and the like) as repositories and/or stewards of sensitive personal information (e.g., bank account details, Social Security numbers, credit card numbers, debit card numbers, etc.) and business information (e.g., access to business e-mail messages, confidential enterprise data, etc.), the number one concern for most users is theft or loss of the mobile device. For example, because cell phones are utilized much more often than one's wallet, one's cell phone is typically easier to lose than one's wallet.

A drawback of existing protection schemes is the requirement that a security application is used only when the event (i.e., theft, loss, etc.) occurs, which limits the convenience of the mobile device. For example, when a mobile device is lost, the user may need to change information related to the mobile device (e.g., by entering a valid password) immediately or a security breach may occur. Enterprises/companies may be greatly affected by the loss of a mobile device. A new approach to an enterprise-level mobile device security management system is needed. Heretofore, several unsuccessful attempts have been made to address these shortcomings.

United States Patent Application US20060199598 describes a method that includes wirelessly receiving a text string at a mobile phone and parsing the text string to obtain security configuration data of the mobile phone and determining whether a code in the security configuration data matches a corresponding code in the mobile phone.

United States Patent Application US20070143824 describes a system and method for enforcing security parameters that collects information from a source relating to a mobile device and, based on the collected information, an identity status for the mobile device is determined that uniquely identifies the mobile device and distinguishes it from other mobile devices.

United States Patent Application US20070232265 describes a system and a method of security management of a wireless mobile device capable of reducing damage caused by a security attack and a malicious code in the wireless mobile device by appropriately interoperating with a network switching center (NSC).

U.S. Pat. No. 7,665,125 describes a wireless security system that includes a client module deployed on a wireless device, a network module, and a server module in which the client module is adapted to authenticate authorized wireless devices independent of the network module and the server module.

Therefore, what is needed is a solution that addresses at least one of the deficiencies of the current art.

SUMMARY

In general, embodiments described herein provide approaches relating generally to policy-based security management of mobile devices. Specifically, a mobile device management system is provided for securing a mobile device based on a predefined security policy. The mobile device receives a security policy created at a server, applies the security policy, and monitors the status of the security policy. When a security violation of the security policy is detected, a security control measure is applied based on predefined elapsed times on a client.

One aspect of the present invention includes a method for managing the security of a mobile device in a mobile device management system (MDMS), the method comprising the computer-implemented steps of: receiving a security policy at a client device; applying the security policy on the client device; determining an occurrence of a security policy event; determining a violation based on the occurrence of the security policy event; and applying different security controls based on predefined elapsed times on the client device.

Another aspect of the present invention provides a mobile device management system for securing a client device, comprising: a client device, comprising: a memory medium comprising instructions; a bus coupled to the memory medium; and a processor coupled to the bus that when executing the instructions causes the client device to: receive a security policy; apply the security policy; determine an occurrence of a security policy event; determine a violation based on the occurrence of the security policy event; and apply different security controls based on predefined elapsed times on the client device.

Another aspect of the present invention provides a computer-readable storage medium storing computer instructions which, when executed, enable a computer system to secure a client device in a mobile device management system (MDMS), the computer instructions comprising: receiving a security policy at a client device; applying the security policy on the client device; determining an occurrence of a security policy event; determining a violation based on the occurrence of the security policy event; and applying different security controls based on predefined elapsed times.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of this invention will be more readily understood from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:

FIG. 1 shows a representation of an exemplary enterprise mobile device management system (MDMS) diagram according to illustrative embodiments of the present invention.

FIG. 2 shows a representation of an exemplary MDMS implementation including a security policy setup for a number of mobile clients according to illustrative embodiments of the present invention.

FIG. 3 shows an operational flow chart for providing a mobile device management system (MDMS) according to illustrative embodiments of the present invention.

FIG. 4 shows an exemplary list of control levels according to illustrative embodiments of the present invention.

The drawings are not necessarily to scale. The drawings are merely representations, not intended to portray specific parameters of the invention. The drawings are intended to depict only typical embodiments of the invention, and therefore should not be considered as limiting in scope. In the drawings, like numbering represents like elements.

DETAILED DESCRIPTION

Exemplary embodiments will now be described more fully herein with reference to the accompanying drawings, in which exemplary embodiments are shown. Embodiments described herein provide approaches relating generally to policy-based security management of mobile devices. Specifically, a mobile device management system is provided for securing a mobile device based on a predefined security policy. The mobile device receives a security policy created at a server, applies the security policy, and monitors the status of the security policy. When a security violation of the security policy is detected, a security control measure is applied after a predefined amount of time has elapsed on a client device.

It will be appreciated that this disclosure may be embodied in many different forms and should not be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of this disclosure to those skilled in the art. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of this disclosure. For example, as used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, the use of the terms “a”, “an”, etc., do not denote a limitation of quantity, but rather denote the presence of at least one of the referenced items. It will be further understood that the terms “comprises” and/or “comprising”, or “includes” and/or “including”, when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof.

Reference throughout this specification to “one embodiment,” “an embodiment,” “embodiments,” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” “in embodiments” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.

The term “enterprise” used herein may refer to any organization, such as a business entity (e.g., firm, company, etc.) that engages in business activities, such as the sale of a product or a service. Alternatively, the enterprise may be a non-profit entity, such as a charity.

The term “group” refers to any logical grouping made by an enterprise for distinguishing among different types of persons or employees. For example, a group may comprise persons within a project team, department, geographical location (e.g., particular floor, building, branch, or city), particular job role, or the like.

Referring now to FIG. 1, a representation of an enterprise-wide, policy-based mobile device management system (MDMS) 100 in which aspects of the illustrative embodiments may be implemented is shown. MDMS 100 comprises MDMS console 102, MDMS server 104, and MDMS client 106. Although FIG. 1 depicts one console, one server, and one client, it is understood that MDMS 100 may contain any suitable number of consoles, servers, and/or clients to meet the needs of the enterprise.

MDMS console 102 is the control monitoring station including a text entry and a display used for system administration. In one example, MDMS console 102 may comprise one or more physical devices consisting of an input device and a display screen. The display screen may include any display device, such as a cathode ray tube (CRT), liquid crystal display (LCD), light emitting diode (LED), projection, touch screen, or other display element or panel. The input device may include a computer keyboard, a keypad, a mouse, a pen, a joystick, or any other type of input device by which an MDMS user may interact with and respond to information on the display screen.

MDMS server 104 interfaces with MDMS console 102 to allow secure remote monitoring, support, and management of MDMS client 106 over a communications network by a user (e.g., an authorized MDMS administrator). The MDMS console 102 provisions, secures, and monitors all registered enterprise mobile devices in a consolidated fashion. MDMS console 102 monitors the policy status of mobile devices in real time. Proper action is then taken based on the policy statuses of the mobile devices. MDMS console 102 interfaces with MDMS server 104 to perform the following functions: group management 110, device management 112, device status management 114, and device policy management 116. The functions are discussed in greater detail with reference to FIGS. 2-4 below.

In general, MDMS server 104 is responsible for executing policies and monitoring. It allows administrators to manage endpoint mobile devices, such as MDMS client 106. MDMS server 104 allows administrators to set control policies for specified mobile devices, and the policies will be automatically distributed to particular mobile devices immediately and then executed instantly. In one example, all triggered events may be logged so that administrators can trace the details through the MDMS console 102 easily.

MDMS server 104 may communicate with any number of mobile devices, such as MDMS client 106, using a communications protocol over a wireless communications network. MDMS client 106 may include any mobile device such as a smart phone, cell phone, personal digital assistant (PDA), laptop, or the like, that is operable within a wireless communications network. The wireless communications network comprises any of: a wireless local area network (LAN), a wireless wide area network (WAN), a wireless peer-to-peer communications network, a code division multiple access (CDMA) communications network, a time division multiple access (TDMA) communications network, a global system for mobile communications (GSM) communications network, and the wireless Internet. The communications network is operable to communicate data (including security policy and status information) between MDMS server 104 and MDMS client 106.

In one example, MDMS console 102 may interface with a separate device to perform the master security policy management 118 function. In other examples, MDMS console 102 may interface with MDMS server 104 to perform the master security policy management 118 function. Master security policy management 118 may include managing all or a subset of the security policies for the enterprise, including creating, modifying, and/or deleting one or more policies based on the needs of the enterprise.

In some embodiments, MDMS server 104 may include server storage area 128 and MDMS client 106 may include client storage area 130. Each storage area may include a database or set of databases having data stored in any suitable format necessary to execute the functions of the respective devices (i.e., MDMS server 104 and MDMS client 106).

FIG. 2 shows a representation of an exemplary MDMS implementation including security policy setup for a number of mobile clients according to illustrative embodiments. Many enterprises allow staff to use smart phones and tablets to connect to their corporate systems. A number of these enterprises have reported security breaches caused by their respective staff, at times resulting in lost or leaked confidential information. FIG. 2 depicts MDMS 200 including MDMS console 102, MDMS server 104, and three MDMS clients 106A-C. As shown, each MDMS client 106A-C is a smart phone.

MDMS console 102 shows security policy table 202. An authorized MDMS administrator or security manager may establish various policies based on different levels. The different levels may correspond to the needed security levels of the different groups and/or areas of the enterprise. The MDMS security manager establishes a security policy through the MDMS console 102. MDMS server 104 creates the security policy and the security manager causes the MDMS server 104 to push the appropriate security policy to the designated MDMS client (e.g., MDMS client 106A-C).

Security policy table 202 includes three columns of data: group, area, and security level. In one example, security profiles may be group-based. In other examples, security profiles may be location-based. As shown, security policy table 202 shows the security policy setup for four groups: Research and Development (R&D), Operations Department, Education Department, and Human Resources (HR). Each enterprise may be divided into any number of “areas”, with each area being assigned a security level. In one example, an area defines the workspace for a particular group. In other examples, an area may be defined using other means. R&D is located in Area A, the Operations Department is located in Area B, the Education Department is located in Area C, and HR is located in Area D. A security level is assigned to each group. In this example, R&D and HR are assigned a security level of 1. The Operations Department is assigned a security level of 2 and the Education Department is assigned a security level of 3. R&D and HR may be assigned a higher security level than the other areas (here, a lower number denotes a higher level) due to the sensitive and confidential data that may be located within the R&D and HR groups. A security level may be represented by a unique number, symbol, character, character string, or any combination thereof.

Three distinct wireless areas are shown in MDMS 200, with each area having an assigned security level. The three areas are: policy area A 204 (having a security level of 1), policy area B 206 (having a security level of 2), and policy area C 208 (having a security level of 3). MDMS client 106A is located within policy area A 204. MDMS client 106B is located within policy area B 206. MDMS client 106C is located within policy area C 208.

Referring now to FIG. 3, an exemplary process flow diagram for providing a mobile device management system (MDMS) according to illustrative embodiments is shown in greater detail. An example MDMS server 104 and MDMS client 106 having MDMS client operating system (OS) 302 are depicted. As shown, device policy management 116 establishes a security policy based on the needs of the enterprise at 302. At 304, the security policy is pushed to MDMS client 106. At 306, MDMS client 106 receives the security policy and applies it to the device. At 308, MDMS client 106 monitors the security policy status. Mobile client OS 302 detects a security policy event at 310. At 312, a timer event is produced. The timer event begins a running clock of elapsed time beginning when the security policy change event occurred.

At 314, a determination is made as to whether the security policy change event amounts to a security violation or breach. A security policy event and/or potential security violation may include, but is not limited to, a device loss, a password lock after a predefined number of incorrect entries, or deletion/modification of an existing application. If the security policy change event is determined not to be a security violation, the timer event is deleted at 316. If the security policy change event is determined to indeed be a security violation, the timer event is checked to determine the amount of time that has elapsed since the security violation began.

At 318, the policy timer is produced. After a security violation has been determined, the security measures taken are time-dependent. If an appropriate action is not taken by the user of MDMS client 106, successive security measures which increase in severity will be taken by MDMS client 106. At 320, based on the elapsed time of the policy timer, a corresponding control level is applied to MDMS client 106. At 322 and 324, MDMS client 106 continues to determine whether additional control levels should be applied and applies each control level at the appropriate time based on the timing associated with each respective control level. In one embodiment, different security controls may be applied based on predetermined elapsed times on MDMS client 106. For example, when a certain security control is applied based on a certain elapsed time, the security control may lower the security level, and the lowered security level may be applied on MDMS client 106.

FIG. 4 shows an exemplary list of control levels according to illustrative embodiments of the present invention. For example, control level 402 may generate a notification immediately. Control level 404 may generate a popup notification after a minute has elapsed. Control level 406 may block an application that is running after 2 minutes have elapsed. Control level 408 may lock the device after 3 minutes have elapsed. Control level 410 may erase private data stored on the device after 10 minutes have elapsed. After 60 minutes have elapsed, control level 412 may erase any secure digital (SD) data. After more than 60 minutes have elapsed, control level 414 may completely erase all data (i.e., reformatting the device or wiping out the device) from the device.

The control levels discussed above are illustrative only and not intended to be limiting. In certain embodiments, the steps described above with reference to FIG. 3 may be performed concurrently or in a different order than shown.
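The escalation loop of steps 310 through 324, driven by the FIG. 4 schedule, as an added example in Python that is not code from the patent. The elapsed times are the ones FIG. 4 gives; the event names, the action names and the set of events treated as violations at step 314 are assumptions made for this example.

```python
"""Time-dependent escalation of security controls on an MDMS client.

Added example, not code from the patent. It models steps 310-324 of FIG. 3
with the control levels of FIG. 4: a policy carries an ordered list of
controls, each tied to an elapsed time; a violation starts the policy timer,
and each control fires once its time is reached unless the user clears the
violation first. Event names, action names and the set of violating events
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Control:
    level: int          # ordinal severity; the claims require each control to be elevated
    after_seconds: int  # elapsed time since the violation at which this control fires
    action: str         # name of the action the client performs (assumed names)


# Timings follow FIG. 4; "after more than 60 minutes" is modelled as one
# second past the SD-card erase so that the order is total.
FIG4_SCHEDULE: Sequence[Control] = (
    Control(1, 0, "notify"),
    Control(2, 60, "popup_notification"),
    Control(3, 120, "block_application"),
    Control(4, 180, "lock_device"),
    Control(5, 600, "erase_private_data"),
    Control(6, 3600, "erase_sd_data"),
    Control(7, 3601, "wipe_device"),
)

# Assumed classification for step 314: the page names device loss, a password
# lock after too many wrong entries, and deletion or modification of an
# application as violations; any other policy event deletes the timer (316).
VIOLATION_EVENTS = frozenset(
    {"device_lost", "password_lockout", "app_deleted", "app_modified"})


class MdmsClient:
    """Client-side enforcement: apply a policy, then escalate on a violation."""

    def __init__(self, schedule: Sequence[Control]) -> None:
        self.schedule = self._validate(schedule)
        self.timer_started: Optional[float] = None  # policy timer (step 318)
        self.applied: List[int] = []                # control levels already applied
        self.audit: List[Dict] = []                 # triggered events are logged

    @staticmethod
    def _validate(schedule: Sequence[Control]) -> List[Control]:
        """Reject a policy whose controls do not escalate with elapsed time."""
        ordered = sorted(schedule, key=lambda c: (c.after_seconds, c.level))
        for prev, cur in zip(ordered, ordered[1:]):
            if cur.level <= prev.level:
                raise ValueError(
                    f"{cur.action} at {cur.after_seconds}s does not elevate over {prev.action}")
        return ordered

    def on_policy_event(self, event: str, now: float) -> bool:
        """Steps 310-316: classify an event; start the timer only for a violation."""
        self.audit.append({"t": now, "event": event})
        if event not in VIOLATION_EVENTS:
            return False                        # not a violation: timer event deleted
        if self.timer_started is None:          # a repeated violation does not reset the clock
            self.timer_started = now
            self.applied = []
        return True

    def clear_violation(self, now: float) -> None:
        """The user took the appropriate action (e.g. entered a valid password)."""
        self.audit.append({"t": now, "event": "violation_cleared"})
        self.timer_started = None
        self.applied = []

    def tick(self, now: float) -> List[str]:
        """Steps 320-324: apply every control whose elapsed time has been reached.

        `now` should come from a monotonic clock. A tick that arrives late
        (device asleep, agent suspended) applies all overdue controls in
        severity order rather than jumping straight to the most severe one.
        """
        if self.timer_started is None:
            return []
        elapsed = now - self.timer_started
        fired: List[str] = []
        for control in self.schedule:
            if control.level in self.applied or elapsed < control.after_seconds:
                continue
            self.applied.append(control.level)
            self.audit.append({"t": now, "elapsed": elapsed, "action": control.action})
            fired.append(control.action)
        return fired


if __name__ == "__main__":
    client = MdmsClient(FIG4_SCHEDULE)
    client.on_policy_event("password_lockout", now=0.0)
    for t in (0.0, 60.0, 200.0):
        print(t, client.tick(t))
```

Two points the flow chart leaves implicit are made explicit here: the schedule is validated when the policy is applied at step 306, so a policy whose later controls are not more severe is rejected rather than enforced, and the elapsed time is measured against a monotonic clock so that a late tick applies the skipped controls in order instead of only the latest one. Because the timer, the applied-level state and the policy itself all live on the client, an implementation should also verify that a pushed policy really originates from MDMS server 104 before applying it; the same mechanism that locks or wipes the device on schedule would otherwise be available to whoever can push a policy over the wireless network.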

While shown and described herein as an MDMS solution, it is understood that the invention further provides various alternative embodiments. For example, in one embodiment, the invention provides a computer-readable/useable medium that includes computer program code to enable a computer infrastructure to provide mobile device security management functionality as discussed herein. To this extent, the computer-readable/useable medium includes program code that implements each of the various processes of the invention. It is understood that the terms computer-readable medium or computer-useable medium comprise one or more of any type of physical embodiment of the program code. In particular, the computer-readable/useable medium can comprise program code embodied on one or more portable storage articles of manufacture (e.g., a compact disc, a magnetic disk, a tape, etc.), on one or more data storage portions of a computing device, such as server storage area 128 (FIG. 1) and/or client storage area 130 (FIG. 1) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.).

In another embodiment, the invention provides a computer-implemented method for applying a security policy to a mobile device. In this case, a wireless infrastructure, such as MDMS 100 (FIG. 1), can be provided and one or more systems for performing the processes of the invention can be obtained (e.g., created, purchased, used, modified, etc.) and deployed to the wireless infrastructure. To this extent, the deployment of a system can comprise one or more of: (1) installing program code on a mobile device, from a computer-readable medium; (2) adding one or more computing devices to the wireless infrastructure; and (3) incorporating and/or modifying one or more existing systems of the wireless infrastructure to enable the wireless infrastructure to perform the processes of the invention.

As used herein, it is understood that the terms “program code” and “computer program code” are synonymous and mean any expression, in any language, code, or notation, of a set of instructions intended to cause a computing device having an information processing capability to perform a particular function either directly or after either or both of the following: (a) conversion to another language, code, or notation; and/or (b) reproduction in a different material form. To this extent, program code can be embodied as one or more of: an application/software program, component software/a library of functions, an operating system, a basic device system/driver for a particular computing device, and the like.

A data processing system suitable for storing and/or executing program code can be provided hereunder and can include at least one processor communicatively coupled, directly or indirectly, to memory elements through a system bus. The memory elements can include, but are not limited to, local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. Input/output and/or other external devices (including, but not limited to, keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening device controllers.

Network adapters also may be coupled to the system to enable the data processing system to become coupled to other data processing systems, remote printers, storage devices, and/or the like, through any combination of intervening private or public networks. Illustrative network adapters include, but are not limited to, modems, cable modems, and Ethernet cards.

The flowchart and block diagrams depicted in FIGS. 1-3 illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The foregoing description of various aspects of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed and, obviously, many modifications and variations are possible. Such modifications and variations that may be apparent to a person skilled in the art are intended to be included within the scope of the invention as defined by the accompanying claims.

What is claimed is:
 1. A method for managing the security of a client device in a mobile device management system (MDMS), the method comprising: receiving a security policy at a client device, wherein the security policy is based on at least one of a group and a location, the security policy having a plurality of predefined elapsed times comprising chronological time values and a different security control associated with each of the plurality of predefined elapsed times; applying, by a computing device, the security policy on the client device; determining, by a computing device, an occurrence of a security policy event; determining, by a computing device, a violation based on the occurrence of the security policy event; and applying, by the client device, a plurality of different security controls based on the plurality of predefined elapsed times on the client device, each of the plurality of security controls being an elevated security control; the applying including performing on the client device, in response to each of the predefined elapsed times being reached, an action specified by the security control associated with the reached elapsed time, and the applying further including: applying a first security control having a first level when no security control has yet been applied, determining whether a second security control exists, and applying the second security control, wherein the second security control has a second level that is higher than the first level.
 2. The method of claim 1, further comprising: establishing, by a computing device, a security policy at a server; and monitoring, by a computing device, a status of the security policy on the client device.
 3. The method of claim 1, wherein determining a violation based on the occurrence of the security policy event comprises generating a policy timer when the violation occurs.
 4. The method of claim 2, further comprising pushing, by a computing device, the security policy from the server to the client device via a communications network.
 5. The method of claim 4, wherein the communications network is a wireless network.
 6. The method of claim 1, wherein the client device comprises one of a smart phone, cell phone, laptop computer, notebook computer, tablet computer, or personal digital assistant (PDA).
 7. The method of claim 1, wherein the security controls comprise at least one of generating a notification, generating a popup notification, blocking an application from running, locking the client device, erasing data from the client device, or reformatting the client device.
 8. A mobile device management system for securing a client device, comprising: a client device, comprising: a memory medium comprising instructions; a bus coupled to the memory medium; and a processor coupled to the bus that when executing the instructions causes the client device to: receive a security policy, wherein the security policy is based on at least one of a group and a location, the security policy having a plurality of predefined elapsed times comprising chronological time values and a different security control associated with each of the plurality of predefined elapsed times; apply the security policy; determine an occurrence of a security policy event; determine a violation based on the occurrence of the security policy event; and apply a plurality of different security controls based on the plurality of predefined elapsed times, each of the plurality of security controls being an elevated security control; the applying including performing on the client device, in response to each of the predefined elapsed times being reached, an action specified by the security control associated with the reached elapsed time, and the applying further including: applying a first security control having a first level when no security control has yet been applied, determining whether a second security control exists, and applying the second security control, wherein the second security control has a second level that is higher than the first level.
 9. The system of claim 8, further comprising a server, wherein the server is configured to create a security policy.
 10. The system of claim 9, wherein the server is further configured to push the security policy to the client device via a communications network.
 11. The system of claim 10, wherein the communications network is a wireless network.
 12. The system of claim 8, wherein the client device comprises one of a smart phone, cell phone, laptop computer, notebook computer, tablet computer, or personal digital assistant (PDA).
 13. The system of claim 8, wherein the security controls comprise at least one of generating a notification, generating a popup notification, blocking an application from running, locking the client device, erasing data from the client device, or reformatting the client device.
 14. A computer-readable storage device storing computer instructions which, when executed, enable a computer system to secure a client device in a mobile device management system (MDMS), the computer instructions comprising: receiving a security policy at a client device, the security policy having a plurality of predefined elapsed times comprising chronological time values and a different security control associated with each of the plurality of predefined elapsed times; applying the security policy on the client device; determining an occurrence of a security policy event; determining a violation based on the occurrence of the security policy event; and applying a plurality of different security controls based on the plurality of predefined elapsed times, each of the plurality of security controls being an elevated security control; the applying including performing on the client device, in response to each of the predefined elapsed times being reached, an action specified by the security control associated with the reached elapsed time, and the applying further including: applying a first security control having a first level when no security control has yet been applied, determining whether a second security control exists, and applying the second security control, wherein the second security control has a second level that is higher than the first level, wherein the different security controls are increasingly severe as the plurality of predefined elapsed times progress.
 15. The computer-readable storage device according to claim 14, wherein the client device comprises one of a smart phone, cell phone, laptop computer, notebook computer, tablet computer, or personal digital assistant (PDA).
 16. The computer-readable storage device according to claim 14, wherein at least one of the first security control or second security control comprises at least one of generating a notification, generating a popup notification, blocking an application from running, locking the client device, erasing data from the client device, or reformatting the client device.
 17. The computer-readable storage device according to claim 14, wherein the security policy is associated with a group or location.